DOT Federal Automated Vehicle Policy: Accelerating the Next Revolution in Roadway Safety (Draft Guidance)
What it does
Provides guidance to industry and regulators for safe design, state policy recommendations, and regulatory tools for highly automated vehicles (HAVs).
The Federal Automated Vehicles Policy (FAVP) was developed and released by the National Highway Transportation Safety Administration (NHTSA) in support of the Department of Transportation’s (DOT) view that the broad release of highly automated vehicles (HAV) can benefit public safety, mobility and sustainability. HAVs are defined as vehicles that “can take full control of the driving task in at least some circumstances.” The new Policy provides recommendations intended to speed the delivery of an initial regulatory framework for HAVs and guide manufacturers, suppliers, and other entities in the safe design, development, testing, and deployment of HAVs. The proposed guidance and request for comments was announced on September 23, 2016 in response to the emerging technology (81 FR 65703).
This guidance applies to (1) systems that can perform the entire driving task without reliance on the driver to pay continuous attention to the driving environment, as well as those that assist the driver; (2) all vehicles that are tested and deployed for use on public roadways, including light-, medium-, and heavy-duty vehicles; and (3) any organization testing, operating, and/or deploying automated vehicles. This includes both auto manufacturers and suppliers as well as non-traditional companies, including technology companies and fleet operators.
The policy has four key parts: (A) Vehicle Performance Guidance for Automated Vehicles, (B) Model State Policy, (C) NHTSA’s Current Regulatory Tools, and (D) Modern Regulatory Tools.
(A) Vehicle Performance Guidance for Automated Vehicles should be considered by entities manufacturing, designing, testing, and/or planning to sell automated vehicle systems in the US. This section includes a fifteen-point “Safety Assessment” for the deployment of automated vehicles to the general public, to ensure systems will be “reasonably safe under real-world conditions.” Cross-cutting guidance areas of the safety assessment that are applicable to all vehicle automation functions include:
- Data Recording and Sharing: Documented processes for testing, validation, and collection of data for recording system malfunctions, degradations, and failures to identify their causes and to facilitate information sharing, knowledge building, and crash reconstruction.
- Privacy: Considerations and protections for user privacy based on federal and manufacturer privacy policies that ensure transparency, choices on data collection and retention, respect for context, minimization and de-identification of sensitive data, data protection, data integrity and access, and accountability.
- System Safety: Engineered safety practices to support reasonable system safety.
- Vehicle Cybersecurity: Approaches to guard against vehicle hacking risks and industry sharing.
- Human Machine Interface: Approaches for communicating information to the driver, occupant, and other road users external to the vehicle.
- Crashworthiness: Verification that occupants and other road users will be protected in crash situations according to NHTSA crashworthiness standards.
- Consumer Education and Training: Development, documentation, and maintenance of employee, dealer, distributor, and consumer programs to address anticipated differences in the operation of HAVs compared to conventional vehicles.
- Registration and Certification: Submission of motor vehicles’ identifying and descriptive information (49 CFR 566, Manufacturer Identification), including HAV-specific details. Manufacturers should also provide on-vehicle means to communicate the key capabilities of the HAV system to human drivers, including new information added following post-sale software updates.
- Post-Crash Behavior: Documented processes for the assessment, testing, and validation of HAV reinstatement for service after involvement in a crash.
- Federal, State and Local Laws: Documented plans for how vehicles are programmed to comply with all applicable federal, state, and local traffic laws.
- Ethical Considerations: Intentional and transparent decision rules regarding conflicts that may arise between driving objectives, particularly among safety, mobility, and legality.
The remaining elements of the safety assessment are specific to each automation function:
- Operational Design Domain (ODD): Definition for how and where the HAV is supposed to function and operate, including roadway types, geographic area, speed range, and environmental conditions.
- Object and Event Detection and Response: Documented processes for perception and response functionalities of the HAV system and the human driver during normal and crash avoidance conditions.
- Fall Back (Minimal Risk Condition): Documented process regarding the detection of HAV system malfunction, operation in a degraded state, or operation outside of an ODD; mechanisms should also inform the human driver, enabling the individual to regain proper control or allowing the HAV to return to a safe location, given the current driving conditions and circumstances.
- Validation Methods: Testing, validation, and verification of the HAV system that ensures a high level of safety.
NHTSA will request that HAV developers voluntarily provide reports regarding how the guidance has been followed. This reporting process may be refined and made mandatory through a future rulemaking, possibly requiring a company’s submission of a Safety Assessment to NHTSA for each HAV system that outlines how they are meeting this guidance at the time they intend their product to be ready for public roads.
(B) Model State Policy distinguishes between federal and state responsibilities for HAV regulation and recommends policy areas to help states generate a sufficiently consistent national framework for the testing, deployment, and operation of HAVs. Vehicles operating on public roads are subject to both jurisdictions; the Model State Policy confirms that states retain responsibility for vehicle licensing and registration, traffic laws and enforcement, and motor vehicle insurance and liability regimes, while the regulation of motor vehicles and equipment will remain a federal responsibility. However, since the motor vehicle itself performs the “driving” task, the DOT would be responsible for “licensing” the HAV. The areas covered by the Model State Policy framework include:
- Structure and processes to administer requirements regarding the use of public roads for HAV testing and deployment;
- Application by manufacturers or other entities to test HAVs on public roads;
- Jurisdictional permission to test HAVs, which can allow or deny individual manufacturers the ability to test in particular areas (e.g., school zones);
- Testing by the manufacturer or other entities, to include only individuals with applicable training, licensure, and background;
- Drivers of deployed vehicles, which may be a human driver at lower automation levels, or the vehicle at higher levels. States are being asked to address gaps that occur due to the transition from human drivers to automated vehicles;
- Registration and titling of deployed vehicles, which would create a new “HAV” data field for registration;
- Considerations for training and educating law enforcement for interacting with HAVs and their occupants; and
- Allocating liability and insurance responsibilities among owners, operators, passengers, and manufacturers.
(C) NHTSA’s Current Regulatory Tools outlines the current regulatory tools available to NHTSA to support safe development of HAV technologies, including interpretations, exemptions, notice-and-comment rulemaking, and defects and enforcement authority.
(D) Modern Regulatory Tools proposes for consideration new authorities, tools, and resources for policymakers to aid the safe and efficient deployment of HAVs.
New authorities include:
- Safety Assurance: Methods and tools for vehicle manufacturers and other organizations to provide pre-market testing, data, and analyses to DOT to demonstrate that the organization’s design, manufacturing and testing processes apply NHTSA’s vehicle performance guidance. Use of these tools would not require additional statutory authority.
- Pre-Market Approval: NHTSA would require additional statutory authority to inspect and affirmatively approve new technologies, which is a departure from the agency’s current self-certification system; a large increase in agency resources would also be necessary.
- Cease and Desist: Requires manufacturers to take immediate action to mitigate safety risks that are serious and immediate and therefore constitute “imminent hazards.” A statutory amendment would be necessary to give NHTSA this authority.
- Expanded Exemptions: Raising the cap on the number of vehicles subject to exemption and/or expanding the length of time of exemptions to facilitate the safe testing and introduction of HAVs; a statutory change would be necessary.
- Post-sale Regulation of Software Changes: This authority would clarify NHTSA’s existing ability to regulate over-the-air software changes (i.e., wireless updates) in HAVs that may potentially occur throughout the lifetime of the vehicle. NHTSA has the authority to regulate the safety of software changes; however, it may need new tools and rules to regulate the certification and compliance of these changes.
New tools include:
- Variable Test Procedures: Expand vehicle testing methods to create test environments more representative of real-world environments. A clarifying amendment to the Vehicle Safety Act (49 U.S.C. 301 et seq.) could confirm that the agency’s existing authority covers this activity.
- Functional and System Safety: Make mandatory the fifteen-point Safety Assessment envisioned in the Vehicle Performance Guidance for Automated Vehicles. NHTSA has authority to require reporting, but may need additional authority to allow it to ensure that manufacturers take all steps to verify, validate and debug the HAV software.
- Regular Reviews: Regular reviews of standards and testing protocols to keep current with the rapidly evolving technology. NHTSA currently has applicable authority to conduct innovation impact analyses, provide for regular reassessments, and establish sunset clauses.
- Additional Recordkeeping and Reporting: Manufacturers and other entities could be required to submit test plans prior to beginning any HAV testing on public roads. NHTSA could use its existing authority to require manufacturers to submit reports showing they are in compliance with the Vehicle Safety Act.
- Enhanced Data Collection: Enhance data recorders and greater reporting requirements about the performance of HAVs. NHTSA currently has authority to request reports from manufacturers who use enhanced data collection techniques.
New resources include:
- Network of Experts: A community of scientific and technical leaders would help NHTSA broaden its expertise and enhance its knowledge on emerging HAV technologies. Members could share expertise on specific topics to help NHTSA form independent conclusions. NHTSA could establish this network under its existing authority.
- Special Hiring Tools: NHTSA needs to be able to develop in-house expertise in science, technology, engineering, and mathematics related to HAV development; however, NHTSA has observed that there is a shortage of suitable candidates. Direct hiring authority, term appointments, and greater compensation flexibility would help NHTSA attract these experts. A delegation from the Office of Personnel Management would be necessary for the direct hiring authority, and a statutory amendment may be necessary to provide greater pay flexibility.
<p>In 1966, the National Traffic and Motor Vehicle Safety Act granted NHTSA authority to issue vehicle safety standards and require manufacturers to recall vehicles that have safety-related defects or do not meet federal safety standards. The act is now referred to as the Vehicle Safety Act and was most recently recodified in 2008.</p>
<p>Manufacturers are required to self-certify that all of the vehicles they manufacture for use on public roadways comply with all applicable <a href="http://stnw.nhtsa.gov/cars/rules/import/FMVSS/">Federal Motor Vehicle Safety Standards</a> (FMVSS). The first standard became effective on March 1, 1967. If a vehicle is compliant with all FMVSS and maintains a conventional vehicle design, there is currently no specific federal legal barrier to selling a HAV. NHTSA would exercise its defects, recall, and enforcement authority for HAV to ensure public safety.</p>
<p>The current federal and state responsibilities for motor vehicle operation include:</p>
<li>Setting safety standards for new motor vehicles and motor vehicle equipment;</li>
<li>Enforcing compliance with the safety standards;</li>
<li>Investigating and managing the recall and remedy of non-compliances and safety-related motor vehicle defects on a nationwide basis;</li>
<li>Communicating with and educating the public about motor vehicle safety issues; and</li>
<li>When necessary, issuing guidance to achieve national safety goals</li>
<li>Licensing (human) drivers and registering motor vehicles in their jurisdictions;</li>
<li>Enacting and enforcing traffic laws and regulations;</li>
<li>Conducting safety inspections, when States choose to do so; and</li>
<li>Regulating motor vehicle insurance and liability.</li>
<p>The Supreme Court has also found that <a href="https://scholar.google.com/scholar_case?case=11849892906598605652&hl... laws may be preempted</a> if they stand as an obstacle to the accomplishment and execution of a NHTSA safety standard.</p>
<p>The FAVP observes the <a href="http://www.sae.org/automotive/">SAE International</a> (SAE) definitions for levels of automation to define the term “Highly Automated Vehicle.” SAE is a global professional association of over 128,000 aerospace, automotive, and commercial-vehicle engineers and technical experts, and is recognized as the world's largest developer of standards for the automotive and aerospace industries. The SAE definitions for automation divides vehicles into six levels ranging from no automation to full automation based on “who” does what:</p>
<li>SAE Level 0: No automation</li>
<li>SAE Level 1: Driver assistance</li>
<li>SAE Level 2: Partial automation</li>
<li>SAE Level 3: Conditional automation</li>
<li>SAE Level 4: High automation</li>
<li>SAE Level 5: Full automation</li>
<p>A key distinction exists between level 2, where the human driver performs part of the driving task, and level 3, where the automated driving system performs the entire driving task. Level 3 and above indicates the vehicle is a HAV. NHTSA expects manufacturers to classify their HAV system(s) as described by these definitions.</p>
- HAVs, also known as autonomous or driverless vehicles, require several different technologies to function. First, they require sensors to collect visual and location data. Visual sensors can include light imaging detection and ranging (LIDAR), radio detection and ranging (RADAR), or cameras, or a combination of all three. Each technology has its own advantages and disadvantages, so multi-sensor systems are often used so the strengths of one sensor offsets the weakness of another. LIDAR can produce a 3D map 100 meters around a vehicle, but they produce large amounts of data and do not perform well in rain or snow. RADAR is effective at detecting object distance and motion. It does not have the detail of LIDAR, but it is effective in a variety of weather conditions. Cameras can see in color, and therefore are potentially the best at object recognition, but they require the most data of the three types of sensors.
- Computer vision entails collecting the visual sensor data, processing it using a computer, and interpreting it in a way that is useful to the vehicle, such as ignoring background scenery or recognizing a road hazard before applying the brakes.
- For location data, HAVs use powerful on-board computers to produce local maps using sensor data. Local maps give the location of the vehicle relative to the objects in the environment. Global Positioning Sensor (GPS) equipment can provide a vehicle’s absolute location, but local maps are required when GPS data are not available, such as inside a parking garage.
Types of Automation
- There are currently two types of vehicles being developed that use these key technologies: semi-autonomous and autonomous vehicles. Semi-autonomous vehicles require a driver to perform some aspects of driving. The driver may be able to leave some control to the vehicle, but the driver remains ultimately responsible for driving. Fully autonomous vehicles, or, more simply, autonomous vehicles, do all the driving, and do not require a steering wheel or pedals. The operator will provide instructions to the vehicle, and the vehicle will perform all the control and navigation.
- Highly automated vehicles will introduce several challenges related to the human-machine interface, including procedures for how a human driver will intervene if the HAV gets into a situation it cannot resolve on its own and the driver has lost skills due to lack of practice. This leads to an issue called the “handoff problem” where a driver may not be attentive to the car and has degraded skills, but suddenly has to take control in an emergency situation that the HAV was not designed to resolve. Engineers are challenged, therefore, to design HAV displays that provide useful, understandable information to the vehicle operator, but keep the operator informed at all times so he or she can quickly take control in emergencies.
Background for the Safety Assessment Letter outlined in first part of the policy, Vehicle Performance Guidance for Automated Vehicles:
- The human-machine interface affects consumer education and training. More complex displays will necessarily require some degree of training for the owner. However, over-the-air updates introduce a challenge of how and when to educate the owner when an update represents a substantial change in the user interface. In addition, features that do not get used often can be forgotten. This is a particular problem for emergency features that need to be accessed quickly, but are rarely needed.
- Data sharing and recording for HAV will take several forms. Dedicated Short-Range Communications, dedicated bandwidth within the electromagnetic spectrum, will facilitate vehicle-to-vehicle and vehicle-to-infrastructure communication of vehicle locations, hazards, and traffic signals. Vehicle data will also be collected to reconstruct events using vehicle control inputs (e.g., turn, brake), performance (e.g., speed, onboard diagnostics) and GPS information. Software updates that keep vehicle features up-to-date will be delivered over-the-air, as is the current procedure at Tesla. Finally, consumers can expect expanded “infotainment” features when they are no longer responsible for driving the vehicle that stream additional data to and from the vehicle.
- Extending data sharing capabilities further exposes HAV to cyber threats (e.g., unauthorized access, attacks, and damage) through wireless and physical entry points. NHTSA is proposing multiple levels of vehicle cybersecurity, including encryption, isolating critical systems from outside access, constantly monitoring for unauthorized access, and instant responses to detected attacks. NHTSA also recommends improving these protections by encouraging data sharing among industry stakeholders.
- System Safety is “the application of systems engineering and systems management to the process of hazard, safety and risk analysis to identify, assess and control associated hazards while designing or modifying systems, products, or services.” In short, it is designing systems with a focus on removing potential hazards at their source.
- Several HAV validation methods (testing and verification of the system) have appeared in the market. Tesla Autopilot was released to customers in 2015 through an over-the-air update. Tesla is able to collect performance data from its customers to inform future updates, including higher levels of autonomous control. Google is employing professional engineers and drivers to collect performance data to improve its systems. Volvo will be testing performance in 100 customer driven vehicles on a Swedish highway during their 2017 Drive Me program.
Michael Clamann, PhD, CHFP, SciPol Lead Editor Robotics and Artificial Intelligence, Senior Research Scientist, Duke Robotics
Endorsements & Opposition
In general, automakers and some safety advocates have been supportive of the guidelines as they address the emerging patchwork of state regulations that could potentially slow the development and release of HAV.
- The Alliance of Automobile Manufacturers (which represents 12 automakers) supported the release of an adaptive guidance, stating, "Guidance is the right action to take since the technology is developing quickly and collaboration between automakers and NHTSA is critical to avoid policies that become outdated and inadvertently limit progress in reducing the number of crashes and saving lives. A policy that evolves is smart given the pace of technology.”
- John Bozzella, CEO of the Association of Global Automakers, was similarly supportive of the adaptive policy, stating, “[Our] members remain committed to working with federal, state and local governments to ensure there is a flexible, consistent framework for automated vehicle technologies so consumers can fully realize the benefits as quickly as possible.”
- Mothers Against Drunk Driving (MADD) was more supportive, with their national President Colleen Sheehey-Church stating, “MADD is proud to support the Department as it releases its policy on automated vehicles because we see a future where self-driving cars will save thousands of lives on our roads. A self-driving car can’t get drunk. A self-driving car can’t get distracted. And a self-driving car will follow the traffic laws and prioritize safety for pedestrians and bicyclists.
Consumer groups have raised concerns that the guidelines do not go far enough to ensure public safety and consequently have called for NHTSA to develop standards.
- Marta Tellado, President and CEO of Consumer Reports, commented, “Consumers need more than just guidelines. This new policy comes with a lot of bark, but not enough bite. While these technologies have the potential to save lives, there must be strong federal standards to protect all drivers.… We urge the Transportation Department to move quickly to put actual safety standards in place for how these systems are designed and tested, before these vehicles wind up on the road.”
Ride sharing companies, such as Uber and Lyft, also raised concerns about the policy because of concerns that it would slow the broad release of HAVs.
- Lyft has called for reciprocity among the states, stating reciprocity would “accelerate the ability for deployment of HAVs across the nation for vehicles whose operational design domains have already been safely and successfully tested or deployed elsewhere.”
- Uber had a stronger statement against the policy. “While NHTSA is right to prioritize safety as critical to building consumer trust, the hurdles proposed in the policy will likely slow the technology’s introduction to consumers without any corresponding safety benefits. We believe it risks creating an uncertain environment for industry, creates unnecessary hurdles to bring this technology to market, does not materially improve vehicle or road safety, and stands to inhibit local innovation in determining which operational rules work best for what is still an emerging technology.”
Other groups voiced concerns that the policy does not address their industry needs.
- For example, the American Trucking Associations noted, “It is disconcerting that the department and the administration have developed these guidelines with virtually no involvement from the trucking industry, and any safety and highway infrastructure debate and regulatory framework that excludes trucking is incomplete.”